Badwolf15002 Posted August 23, 2021 ID:1476425
I have accidentally downloaded this virus. I don't have the csrss.exe but other stuff like zz.exe, ww31.exe and more. Every time I delete the files they belong in, they keep coming back. And I can't get Malwarebytes to install at all. When I do, it restarts twice and says it fails.
Badwolf15002 (Author) Posted August 23, 2021 ID:1476427
mbst-fix-results.txt
These are the results from gathering logs. I want this off my computer! It's so annoying how I can't remove it myself.
Maurice Naggar Posted August 23, 2021 ID:1476428 (edited)
@Badwolf15002 My name is Maurice. Let me know what nickname you prefer. Understand that there is a legitimate CSRSS by Windows, so do not go deleting or changing things on your own. OK, thanks for attaching the file. I will study and get back to you. Thanks.
Amended: The file provided above is a text-type report about a repair option with the Support tool. It turned out it (obviously) was not the ZIP that I need.
Edited August 23, 2021 by Maurice Naggar: re-amended
Maurice Naggar Posted August 23, 2021 ID:1476429
I need a report set for review. This is a report only. Please download the MBST Support Tool. Once you start it, click Advanced > Gather Logs. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply, like displayed here. To send (upload) attachments, please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.
Badwolf15002 (Author) Posted August 23, 2021 ID:1476432
Just an FYI, I have tried to delete the csrss file many times. It shows up in \user\(Username)\appdata\local\temp\csrss\ and C:\Windows\rss\csrss.exe, but every time I do, it just reappears. How I delete them is I restart Windows and hold down the Shift key and enter the command prompt that way and move around and use the command: rmdir /s (directory). I've tried other methods but it all points to downloading Malwarebytes, which for some reason refuses to install.
Maurice Naggar Posted August 24, 2021 ID:1476441 (edited)
You and I are the only ones on this thread. I get notified of all replies. So there is no need to click the "QUOTE" when you do a reply. By the way, stick with me until I give the all clear. That is to say, this is not a one-shot & done. We will be doing several passes. Meantime, do not do any web surfing, nor online games.

As I mentioned before, kindly do not do any further attempts to get rid of stuff while I am guiding you on this case. There are several things going on all at once. There is a rogue "CSRSS", plus it is also tied to a scheduled task. PLUS there is a rogue / bogus "windefender" which is not the legitimate MS Defender. There are other suspects.

Here below is a custom run intended to quash the rogue CSRSS. Please take time to read carefully & apply all directions below. If you have a question, stop and ask me first.

[ 1 ] As a next basic step, please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] We will use FRSTENGLISH.exe on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Badwolf15002 only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. It will run the Windows DISM tool to check the system. It is also intended to squash the rogue CSRSS (the 'bad' ones / the non-legitimate ones).

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the user Downloads folder: Fixlist.txt
Start Windows Explorer and then go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. We will do more after this. Persistence & patience are called for here. Stick with me because there will be more for later.
Edited August 24, 2021 by Maurice Naggar
Maurice Naggar Posted August 24, 2021 ID:1476452
Thanks. Good run / excellent actually. Except there is more to do, even after this step below here.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool instructions are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. It may take several hours. Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware). The log is named MSERT.log; the log will be at C:\Windows\debug\msert.log. Please attach that log with your reply.

NOTE: The "rogue" actually auto-placed exclusions in MS Defender to exclude several spots where the 'booger' was stored. On the next round, I will have a secondary custom fix run for you. We are not done.
Maurice Naggar Posted August 24, 2021 ID:1476524
If presented with that option, yes, do that. Later on, after we are all done, you can download a good copy of Kali Linux. I will shortly have a new cleanup task for this machine. There is more to be done.
Maurice Naggar Posted August 24, 2021 ID:1476525
We need to run one fix run while in SAFE mode of Windows. Please just read this all the way down before you begin. You may want to copy and save these directions into a NOTEPAD file for later reference. The custom script on this post is ONLY for this machine and NO other.

Delete the old Fixlist.txt on Downloads that is there from before. Then, please close / exit any open work files (if you have any ongoing at this point). Save any work. Exit out of other open apps that you yourself started at this session. This procedure will involve a Restart at the end of the run. Save this script file named FIXLIST.txt to the Downloads folder: Fixlist.txt

[ 2 ] NOW we need to restart Windows into SAFE MODE (just SAFE mode). See this guide at Tenforums: https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html
Now in SAFE mode of Windows, using File Explorer, go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. IF Windows prompts you about running this, select YES to allow it to proceed. Click on the FIX button. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. After the end of this run, Windows should be in normal mode. There will be more to do after this.
Maurice Naggar Posted August 24, 2021 ID:1476528
Thank you. That run seems to have managed to fully remove the rogues that had been in some temp sub-folders & seems to have removed the exclusions out of the exceptions section of MS Defender. Those are hopefully good steps forward. Now, since this machine had had those sorts of issues, we do additional new scans.

I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes. When prompted for scan type, click on Full scan. Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be. You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results". Click the blue "Save scan log" to save the log. If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom). Press Continue when all done. You should click to turn off the offer for "periodic scanning". Please make sure you attach the log report.
Maurice Naggar Posted August 24, 2021 ID:1476545 (marked as Solution)
Thanks. Very worthwhile run. It found several potentially unwanted applications (PUA) including a few coinminers. Earlier, I believe you mentioned an attempt to install Malwarebytes for Windows ran into some hitch. Let's try to do a new install of Malwarebytes for Windows. After that is done, then do a scan.

[ A ] I'd suggest you save the download to the Desktop for ease of access. Otherwise, save the file to the Downloads folder.
1. Download the offline installer from: https://downloads.malwarebytes.com/file/mb4_offline
2. Now, go to the folder location where saved. Right-click on the exe and select Run as Administrator and allow it to go forward.

[ B ] In the Malwarebytes for Windows program, we want to do a special scan. Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window. Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color. Next, click the small x on the Settings line to go to the main Malwarebytes window. Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark. Then click on the Quarantine button. Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Badwolf15002 (Author) Posted August 24, 2021 ID:1476549
So how bad was my computer? And how badly did I screw it up?
Maurice Naggar Posted August 24, 2021 ID:1476552 (edited)
If you were to read the whole report, you would see lots & lots of remarks "No Action By User". Please repeat the scan exactly as I stated above, making real sure that you do a REVIEW after the scan phase & that you TICK the top left check-box so that ALL is selected & removed. Please make real sure to do that.

No telling just how your machine got messed up, just that it is likely from some download or other that was recently done. My best guess is that it was a Trickbot or similar malware. Pretty serious, since it had made auto-exclusions onto MS Defender antivirus so that it would not be caught. Let me see the result from this Malwarebytes run.
Edited August 24, 2021 by Maurice Naggar
Maurice Naggar Posted August 24, 2021 ID:1476562
That's a lot better in that all items tagged were removed. Threats Detected: 72. Threats Quarantined: 72.

It's best to continue to do some other additional scans. Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are closed. It will not take much time. First download & save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then be sure to close all web browsers. Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log.
Maurice Naggar Posted August 24, 2021 ID:1476578
That is a worthwhile cleanup too. Now a pair of reports to check some statuses. These are just reports.

[ 1 ] Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows' SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive. Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

[ 2 ] This is a different sort of report. Download Farbar's Service Scanner utility and save it to your Desktop. Right-click on fss.exe and select Run As Administrator. Answer Yes to OK when prompted. If your firewall then puts out a prompt, again, allow it to run. Once FSS is on-screen, be sure the following items are check-marked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file. 😁
Maurice Naggar Posted August 24, 2021 ID:1476596
Each of those 2 provides some insights & details about selected things. FSS on selected Windows services (of the operating system). SecurityCheck about security software & whether some add-on apps are out of date as far as security patches. Good thing we ran these, since FSS points out that the Windows Update service is AWOL (something most likely knocked out by the former malware infection. We will do a fix below).

[ A ] RIGHT click the link with your mouse pointer and select SAVE as... & guide the folder for saving to a folder (do not double click / do not 'run' the file / nor open it): Windows 10 Windows Update service
Once it is saved, then we need to merge the file onto the system, as follows: With your mouse, do a RIGHT-click on the file wuauserv.reg and select Merge. Let it do that & ensure it finishes OK.

[ B ] These are called to your attention because they deserve your review and action for updates! Out of date apps can make infection easier for the bad actors.
- Git version 2.29.2 v.2.29.2 Warning! Download Update
- Microsoft 365 - en-us v.16.0.13029.20344 Warning! Download Update. How to install Office updates?
- Oracle VM VirtualBox 6.1.22 v.6.1.22 Warning! Download Update
- WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
- GIMP 2.10.22 v.2.10.22 Warning! Download Update
- Discord v.0.0.309 Warning! Download Update
- Zoom v.5.7.4 (804) Warning! Download Update
- Java 8 Update 291 (64-bit) v.8.0.2910.10 Warning! Download Update. Uninstall old version and install new one (jre-8u301-windows-x64.exe).
- VLC media player v.3.0.11 Warning! Download Update
- Google Chrome v.92.0.4515.107 Warning! Download Update
- Microsoft Edge v.91.0.864.48 Warning! Download Update

Stick with me. We will do some beefing up of security for the web browsers on this machine. But I also would like for you to make time & do a run today of Microsoft Windows Update to ensure this OS build is fully up-to-date.
- Select the Start (Windows) button from the bottom-left corner.
- Go to Settings (gear icon).
- Select the Update & Security icon.
- Choose the Windows Update tab in the left sidebar (circular arrows).
- Click the Check for updates button.
- Accept all cumulative updates and feature updates that are listed at the top.
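The findings in this post (the missing Windows Update service) together with the helper's earlier note that the malware had auto-placed Defender exclusions and planted a lookalike csrss.exe under a temp folder and C:\Windows\rss suggest a small read-only audit a user could run after the cleanup. The PowerShell script below is an added example, not the forum's, Malwarebytes' or FRST's own tooling; it assumes Windows 10 with Microsoft Defender and an elevated prompt, and the folder pattern and the service-name heuristic are assumptions built from the paths named in this thread.

```powershell
# Read-only post-cleanup audit for the symptoms described in this thread. Added example,
# not the forum's or Malwarebytes' tooling. It reports; it deletes nothing.
# Assumes Windows 10 with Microsoft Defender, run from an elevated PowerShell prompt.

# Folders the thread names as drop points for the rogue csrss.exe, plus temp/AppData generally
# (assumed heuristic: legitimate software rarely needs an exclusion or a task there).
$SuspectPattern = '(?i)\\(rss|temp|appdata)\\'

function Get-SuspiciousDefenderExclusions {
    # The helper noted the malware "auto-placed exclusions in MS Defender" for its storage spots.
    $pref = Get-MpPreference
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
        Where-Object { $_ -and $_ -match $SuspectPattern }
}

function Get-RogueCsrssFindings {
    # The genuine csrss.exe runs from %SystemRoot%\System32; the thread's copies lived in
    # %LOCALAPPDATA%\Temp\csrss and C:\Windows\rss. Report leftovers and lookalike processes.
    $legit = Join-Path $env:SystemRoot 'System32\csrss.exe'
    $leftovers = @(
        (Join-Path $env:LOCALAPPDATA 'Temp\csrss'),
        (Join-Path $env:SystemRoot 'rss\csrss.exe')
    ) | Where-Object { Test-Path $_ }
    # Process paths are only readable when elevated; unreadable ones are skipped.
    $lookalikes = Get-Process -Name csrss -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -ne $legit } |
        Select-Object Id, Path
    [pscustomobject]@{ LeftoverPaths = @($leftovers); LookalikeProcesses = @($lookalikes) }
}

function Get-SuspiciousScheduledTasks {
    # The rogue csrss was "tied to a scheduled task": list tasks whose action launches a binary
    # from a suspect folder, or names csrss anywhere outside System32.
    Get-ScheduledTask | Where-Object {
        $hits = @($_.Actions | Where-Object {
            $_.Execute -and ($_.Execute -match $SuspectPattern -or
                ($_.Execute -match '(?i)csrss' -and $_.Execute -notmatch '(?i)\\System32\\'))
        })
        $hits.Count -gt 0
    } | Select-Object TaskName, TaskPath, State
}

function Get-ServiceFindings {
    # FSS reported the Windows Update service (wuauserv) as AWOL; the helper also warned of a
    # bogus "windefender" that is not the real Microsoft Defender. Check both.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $startType = if ($wu) { $wu.StartType } else { 'missing' }
    # Assumed heuristic: a Defender-named service whose binary is not under the Windows
    # Defender folders or System32 deserves a look.
    $lookalikeSvc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match '(?i)defend' -and
                       $_.PathName -notmatch '(?i)\\(Windows Defender|System32)\\' } |
        Select-Object Name, PathName, State
    [pscustomobject]@{
        WindowsUpdateServicePresent = [bool]$wu
        WindowsUpdateStartType      = $startType
        DefenderLookalikeServices   = @($lookalikeSvc)
    }
}

Write-Output '== Defender exclusions in temp/rss locations =='
Get-SuspiciousDefenderExclusions
Write-Output '== Rogue csrss leftovers and lookalike processes =='
Get-RogueCsrssFindings | Format-List
Write-Output '== Scheduled tasks launching from suspect folders =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
Write-Output '== Windows Update / Defender service status =='
Get-ServiceFindings | Format-List
```

Empty sections mean nothing matched the heuristics; a non-empty one is a reason to ask the helper before touching anything, which is exactly the thread's advice.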
Badwolf15002 (Author) Posted August 24, 2021 ID:1476597
Any chance I can not update Windows? Or only update the security patches and not the other bloatware and garbage they like to add?
Badwolf15002 (Author) Posted August 24, 2021 ID:1476629
Also, if we are done I want to remove the logs etc. I have uploaded. Mainly because that is information about my computer I don't want publicly xP
Maurice Naggar Posted August 25, 2021 ID:1476752 (edited)
Keeping the Windows operating system safe requires keeping up with all security updates from Microsoft Windows Update, on a regular basis. That's done by having the Windows Update service on, and monitoring on a regular basis. The Microsoft August 2021 security updates cover 44 CVEs. Of these CVEs, 7 are rated Critical and 37 are rated Important in severity.

This machine needs to get & apply the 2021-08 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5005033). Go to this link at the Microsoft Update Catalog. It's the first item listed. Download & save the file: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005033 windows 10 20h2 for x64
It is the first one listed at that link. Download the file. SAVE it to your system. Then, to actually apply that update: while in File Explorer, go to that .MSU file. Do a right click with your mouse on the .msu and then select OPEN. That should start the update process for that KB. Ensure that it fully completes that run.

The run of the Microsoft MSRT tool is also an important thing to do. Download & save MSRT from this link https://www.microsoft.com/en-us/download/details.aspx?id=9905 at Microsoft Download Center. Disregard the top part with what look like ads / promos. Scroll down & see the Download button. Be sure to first SAVE the file to the Downloads folder or else to the DESKTOP. When the download is completed, do a RIGHT-click with the mouse pointer & choose RUN AS ADMINISTRATOR & allow it to go forward. IF prompted "are you sure", reply YES. Next select QUICK scan. If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software. The Malicious Software Removal Tool scan log is located at: C:\Windows\Debug\mrt.log.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
- Delete mbst-grab-results.zip on the desktop
- Delete mb-support-1.8.4.896.exe on Downloads
- Delete esetonlinescanner.exe
- Delete fss.exe
- Delete securitycheck.exe
Any other download file I had you download, you may delete.

No one else can get access to the files you uploaded who is not on the forum staff. There is no need to fret over the reports submitted. Even so, I have set all those posts to be hidden.

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use. Best practices & malware prevention:
- Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).
- Free games & free programs are like "candy". We do not accept them from "strangers".
- Never open attachments that come with unexpected (out of the blue) email, no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always save first and then scan with an antivirus program.
- Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
- Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog: http://securitygarden.blogspot.com/p/blog-page_7.html Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine. Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.
- Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
For other added tips, read "10 easy ways to prevent malware infection".

Stay safe. I wish you all the best. I am marking this case for closure.
Edited August 25, 2021 by Maurice Naggar